Did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefitted from HHS/OCR not being in position to immediately enforce the Breach Rule given that the HITECH Act itself has only just been enacted a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including the encryption of its PHI data-at-rest, a step we at Redspin strongly advocate. Also, no cases of ID theft or fraud have come to light as a result of their breach.

At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end-goal is to enable an organization to calculate how much they should invest to reduce the risk of data breach.

With an over 15-year successful track record, Redspin is one of the most trusted cyber security names in the industry. Our proven real-world approach has been applied and refined throughout 1000's of security assessments, giving you the best possible return on your investment.

Our world-class award winning security engineering team is on the front lines every day, ensuring our clients are protected from the latest 'in-the-wild' threats and exploits.